
Wireless Client Security Demystified

Jeanette Lee May-Jul, 2007

1. WEP
http://airheads.arubanetworks.com/article/wireless-client-security-demystified-wep

Wireless client security can be an overwhelming alphabet soup of acronyms, standards and protocols. In this series of articles, we will examine the more popular variants in detail; how they work and how they can be made to work for you.

The Fundamentals of Security
Before we talk about wireless security as a whole, it’s worth examining the different types of protocols and security mechanisms available. These typically fall within one of three different categories:
• Encryption
• Authentication
• Access control

Most wireless security schemes employ at least one authentication and one encryption protocol. Some include access control as well. This ensures wireless devices are authenticated (we know who they are), their data is encrypted (no-one can eavesdrop) and their ability to reach network resources is controlled. This last can be very important since not all wireless users or devices are trusted equally.

In this series, I will dedicate each article to a particular encryption, authentication or access control mechanism or standard.

In this article, we’ll start at the beginning, with WEP.

WEP Encryption
The first wireless security scheme was the Wired Equivalent Privacy (WEP) protocol. It was included in the original IEEE 802.11 standard and was intended to secure data transmitted over 802.11 networks.

WEP depends upon a static pre-shared key that is configured on every wireless client before it can connect to the WLAN. The client passes this key to the wireless access point (AP). This key is then used to encrypt the communications between the client and AP. WEP uses the stream cipher RC4 in combination with CRC-32 checksums for integrity. WEP keys can be of varying lengths, described as bits.

Basic WEP Encryption
Standard 64-bit WEP uses a 40-bit key, to which a 24-bit initialization vector (IV) is concatenated to form the RC4 traffic key. A popular alternative is the 128-bit WEP protocol, which uses a 104-bit key size. Users typically enter a 128-bit WEP key as a string of 26 Hexadecimal (Hex) characters (0-9 and A-F). Each character represents 4 bits of the key. 4 * 26 = 104 bits. Adding the 24-bit IV creates what is then called a 128-bit WEP key. A 256-bit WEP system is available and even larger sizes could theoretically be supported. Unfortunately, key size is not the major security limitation in WEP.

Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way in which the IV is used also opens WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.

WEP was intended to provide confidentiality that was comparable to a traditional wired network, hence the name. However it has been demonstrated many times that WEP is inherently flawed and trivially broken. Numerous attacks have been published which show how to recover WEP keys passively as well as actively within minutes. It can be even worse if you consider the fact that most wireless equipment requires the key be entered in hexadecimal format and many users enter numbers and letters that spell words they can remember. But given that hex is only the letters A-F and the numbers 0-9, this makes dictionary attacks even more trivial.

The major drawbacks of WEP include:
• Static keys are easy to break – the IV value is too short and keys are constructed such that they are vulnerable to reuse or weak key attacks; breaking the key compromises every wireless device and all traffic
• Message integrity – there is no effective detection of message tampering or replay
• No key management – the protocol directly uses the master key with all clients. This static key must be shared somehow with all clients before they are allowed to associate with the WLAN. WEP makes no provision for sending out new keys
• No key rotation/updates – there is no automated mechanism for changing keys. Often, WEP networks go for months or years with the same key simply because of the inconvenience of manual key updates

Some vendors have offered a variation of WEP that attempts to solve these issues with Dynamic WEP. Dynamic WEP is typically an implementation of the 802.1x protocol that uses WEP for the encryption. Thus, the 802.1x protocol is used for key management and
distribution; however, once the key is established it functions like static WEP. (The 802.1x protocol will be examined in a later part of this series.)

When to use WEP
Although WEP has been widely discredited as a wireless security mechanism, it does have its uses even today. These include:
• Simple devices that do not support more advanced protocols, e.g. wireless phones or older wireless client devices
• Home use

Whenever possible, dynamic WEP is preferable to static WEP – however not all devices support this. And of course, wherever possible, apply other security measures beyond wireless encryption. For example, the Policy-Engine Firewall in the Aruba Network’s product can protect these devices even further by examining all traffic from weakly encrypted devices and limiting what they can do on the network to the narrowest context possible.

2. TKIP Encryption
http://airheads.arubanetworks.com/article/wireless-client-security-demystified-tkip-encryption

TKIP is an encryption protocol used in 802.11 networks and is part of the IEEE 802.11i standard. TKIP was designed as a successor to WEP that could be implemented without replacing legacy hardware. This was necessary due to the ease with which WEP keys could be broken, leaving Wi-Fi networks vulnerable and without a viable link-layer security solution. It was deemed that solving this problem could not wait for new hardware to become available – hence the imperative to provide legacy support.

How TKIP Works
TKIP was designed to work in a way very similar to WEP. This was by design and intention. TKIP is a suite of algorithms that works as a "wrapper" to WEP, which allows users of legacy WLAN equipment to upgrade to TKIP without replacing hardware. TKIP uses the original WEP programming and concept of a pre-shared key but "wraps" additional code at the beginning and end to encapsulate and modify it. Like WEP, TKIP uses the RC4 stream encryption algorithm as its basis. The new protocol, however, encrypts each data packet with a unique encryption key. These keys are also much stronger, cryptographically speaking, than those of its predecessor, WEP.

TKIP includes four additional algorithms that set it apart from WEP:
• A cryptographic message integrity check
• An initialization-vector (IV) sequencing mechanism that hashes the IV bits and changes the rules for the size, reuse and values of the IV
• Change the encryption key for every frame
• A mechanism to distribute and change the broadcast keys automatically – this creates a hierarchy of keys and protects the master key

TKIP is superior to WEP in many ways and solves many of its problems. However there are some things that TKIP just can't fix. These include:
• No key rotation/updates – the same static pre-shared master key (PSK) must be shared somehow with all clients before they are allowed to associate with the WLAN. The TKIP protocol makes no provision for automatically generating new master keys
• Weak encryption algorithm – like WEP, TKIP relies on the RC4 cipher, which is not considered the highest level of security available. RC4 is not approved for government use

TKIP has been shown to be a cryptographically sound protocol that has no known major weaknesses today. However, the very security conscious may want to consider an entirely new protocol that does not rely on backwards compatibility and thus could be made stronger and incorporate new features.

The 802.11i standard specifies the Advanced Encryption Standard (AES) in addition to TKIP. AES offers a higher level of security and is approved for government use. As organizations replace older wireless equipment, AES is expected to become the accepted encryption standard for WLAN security.

3. AES-CCMP Encryption
http://airheads.arubanetworks.com/article/wireless-client-security-demystified-aes-ccmp-encryption

This is the third in a series of articles discussing various security protocols and mechanisms for wireless client security.

As mentioned last week, the 802.11i standard includes the Advanced Encryption Standard (AES) crypto cipher and an accompanying operating mode, or encryption algorithm, Counter-Mode/CBC MAC Protocol (CCMP). AES is often referred to as the encryption protocol used by 802.11i, however AES itself is simply a block cipher. The actual encryption protocol is CCMP. AES is the successor to the Data Encryption Standard (DES) and satisfies US government security requirements.
Robust Security Network (RSN) is part of the 802.11i IEEE standard and negotiates authentication and encryption algorithms between access points and wireless clients. This flexibility allows new algorithms to be added at any time and supported alongside previous algorithms. It is important to note here that, although the 802.11i standard allows for TKIP encryption, the use of AES-CCMP is mandated for RSNs. This is discussed in greater detail in a later article where we examine the 802.11i specification itself.

RSN uses the Advanced Encryption Standard (AES), along with 802.1x and EAP. The security protocol that RSN builds on AES is called the Counter Mode CBC MAC Protocol (CCMP). AES supports key lengths up to 256 bits, but is often not compatible with older hardware. However, there is a specification designed to allow RSN and WEP to coexist on the same wireless LAN; it's called Transitional Security Network or TSN. It's important to note, however, that a WLAN on which some devices are still using WEP is not optimally secured.

How AES-CCMP Works
The CCMP protocol is based on the AES encryption cipher using the Counter Mode with CBC-MAC (CCM) mode of operation. The CCM mode combines Counter (CTR) mode privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authentication. CCMP, in the context of Wi-Fi security, is often referred to as AES-CCMP or simply AES. A more complete description of AES can be found at http://en.wikipedia.org/wiki/Advanced_Encryption_Standard.

AES processing in CCMP must use AES 128-bit key and 128-bit block size. Per FIPS 197 standard, the AES algorithm (a block cipher) uses blocks of 128 bits, cipher keys with lengths of 128, 192 and 256 bits, as well as a number of rounds 10, 12 and 14 respectively.

AES-CCMP introduces a higher level of security from past protocols by providing protection for the MAC protocol data unit (MPDU) and parts of the 802.11 MAC headers. This protects even more of the data packet from eavesdropping and tampering.

AES-CCMP is superior to WEP and TKIP in many ways:
• AES-CCMP was built from the ground up specifically for 802.11 encryption – it goes far beyond the RC4 stream cipher used by WEP and TKIP
• AES-CCMP offers greater data privacy by encrypting parts of the 802.11 header

The major drawbacks of AES include:
• No key rotation/updates – the same static pre-shared master key (PSK) must be shared somehow with all clients before they are allowed to associate with the WLAN. The AES-CCMP protocol makes no provision for automatically generating new master keys
• Hardware requirements – AES-CCMP is not backwards compatible with legacy Wi-Fi hardware. This means AES-CCMP deployments may require a firmware or hardware upgrade

4. EAP Authentication
http://airheads.arubanetworks.com/article/wireless-client-security-demystified-eap-authentication

The Extensible Authentication Protocol (EAP) or RFC 3748 is, very simply, a transport protocol that has been optimized for authentication. It is important to note that EAP is not, in itself, an authentication protocol, even though it is often referred to that way. The EAP protocol expands on authentication methods used by the Point-to-Point Protocol (PPP). EAP can support multiple authentication mechanisms such as token cards, smart cards, digital certificates, one-time passwords, and public key encryption. This section will focus on the popular EAP/authentication combinations and discuss how each works within a wireless security framework.

In this article, EAP is always used in a wireless LAN context – therefore a more correct name for the EAP protocol is EAPOL, or EAP over LAN.

How EAP Works
Here's how it works: a user requests connection to a wireless network through an access point. The access point requests identification data from the user and transmits that data to an authentication server. The authentication server asks the access point for proof of the validity of the credentials. After the access point obtains that verification from the user and sends it back to the authentication server, the user is connected to the network as requested. There are many different types or "flavors" of EAP. The difference between these is in how the identification credentials are requested and transmitted.

EAP Flavors
There are many different combinations of EAP and authentication types. A complete listing is available at http://www.iana.org/assignments/eap-numbers. The following list offers a description of the most popular versions as well as some design considerations:

EAP-MD-5 (Message Digest) is an EAP authentication type that provides base-level EAP support. EAP-MD-5 is typically not recommended for wireless LAN implementations because it may allow a user's password to be derived.
It also provides for one-way authentication only - there is no mutual authentication of wireless client and the network. More importantly it does not provide a means to derive dynamic, per session wired equivalent privacy (WEP) keys

EAP-TLS (Transport Layer Security) provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and server side. For a large WLAN installation, this could be a very cumbersome task.

EAP-TTLS (Tunneled Transport Layer Security) was developed by Funk Software and Certicom, as an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or "tunnel"), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.

LEAP (Lightweight Extensible Authentication Protocol) is a proprietary EAP authentication type used primarily in Cisco Aironet WLANs. It encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication. Like WEP, LEAP has also been broken with publicly available tools, compromising user credentials and accounts.

EAP-FAST (Flexible Authentication via Secure Tunneling) is another proprietary EAP developed by Cisco. Instead of using a certificate, mutual authentication is achieved by means of a PAC (Protected Access Credential), which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically. EAP-FAST has seen some popularity, but has been shown to have security issues.

PEAP (Protected Extensible Authentication Protocol) provides a method to securely transport authentication data, including legacy password-based protocols, via 802.11 wireless networks. PEAP accomplishes this by using tunneling between PEAP clients and an authentication server. Like the competing standard, Tunneled Transport Layer Security (TTLS), PEAP authenticates wireless LAN clients using only server-side certificates (although client certificates are allowed as an option), thus simplifying the implementation and administration of a secure wireless LAN. There are two competing versions today: PEAPv0 (PEAP-EAP-MSChapv2) from Microsoft and PEAPv1 (PEAP-GTC) from Cisco. Microsoft PEAP is considered the mainstream PEAP and user authentication protocol. As mentioned before, PEAP requires a tunneling protocol that actually performs the authentication.

EAP-MSCHAPv2 is an EAP encapsulation of MS-CHAP-v2 (RFC-2759). MS-CHAP-v2 requires a user name and password. This protocol is rarely used on its own. Instead it is typically used inside of a PEAP-encrypted tunnel as described above

EAP-GTC (Generic Token Card) is an alternative to EAP-MSCHAPv2 and is used in Cisco's PEAPv1 protocol. This protocol makes use of digital certificates to establish the inner tunnel

Each combination of EAP plus an authentication type offers a unique approach to authentication. Which one to use is generally determined by the level of security required, the amount of administrative/management overhead desired, and the limitations of the clients (supplicants) that will implement EAP as well as the capabilities of the RADIUS servers used in the deployment.

The following table provides a side-by-side comparison of the EAP types:

Feature/Benefit                                    MD5      TLS     TTLS    PEAP    LEAP    FAST      GTC
Client-side authentication/certificate required    No       Yes     No      No      No      No (PAC)  No
Server-side authentication/certificate required    No       Yes     Yes     Yes     No      No (PAC)  Yes
Authentication method                              One-way  Mutual  Mutual  Mutual  Mutual  Mutual    Mutual

Moderate
Deployment complexity Low High Moderate Moderate Moderate Moderate
to high
Medium
Security strength Low Highest High High Low High
to high
EAP Summary
Based on this table, we can draw some reasonably clear conclusions:

TLS, while very secure, requires client certificates to be installed on each wireless workstation. Installing and maintaining a PKI infrastructure must be part of any TLS installation and does create more administrative overhead. If a working PKI already exists, TLS is a very good option

TTLS addresses the certificate issue by tunneling TLS, and thus eliminating the need for a certificate on the client side. If a working PKI structure does not exist, this is an option worth considering

LEAP is one of the earliest EAP implementations; however inherent security flaws have now made it less popular and it is not recommended

EAP-FAST promises to be as easy as LEAP but as secure as PEAP, however it has different implementation and operational modes that, ultimately, offer a compromise. The highest security, ultimately, ends up looking very similar to PEAP – without the widespread client support that PEAP enjoys

PEAP works similarly to EAP-TTLS in that it does not require a certificate on the client side and is natively supported by many client operating systems. PEAP is the protocol of choice when client-side certificates are not required. When deploying PEAP, EAP-MSChapv2 is likewise the protocol of choice as compared to EAP-GTC. This is primarily due to the fact that EAP-GTC is not supported by Microsoft’s IAS RADIUS server or the native Windows supplicant

More information on the many different EAP protocols can be found at http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol.

5. 802.1x Access Control
https://airheads.arubanetworks.com/article/wireless-client-security-demystified-802-1x-access-control

802.1x is an IEEE standard designed to enforce authentication of a client before Layer 2 access to the network is permitted. The 802.1x protocol consists of three parts:

Supplicant, or client, is software running on a device trying to gain access to the network

Authentication server is the system that validates client credentials and determines if the client should be allowed access. The authentication server must be a RADIUS server. Remote Authentication Dial-In User Service (RADIUS) is defined in RFC-2865 and other, later documents. It was originally designed to provide centralized authentication, authorization and access control (AAA) for dial-up ISP connections. The 802.1x standard mandates an AAA server as the back-end server. RADIUS is the only AAA server supported today. Theoretically, other types of AAA servers could be used, but nothing has been standardized or implemented as of this writing

Authenticator is a piece of software running on the device that communicates with both the supplicant and the authentication server and enforces the authentication server’s deny or permit directive

The supplicant and the authenticator use the Extensible Authentication Protocol (EAP) to securely negotiate authentication. As we discussed last week, there are several different types of EAP in use today that offer different advantages and disadvantages. During the authentication process, the authentication server and the supplicant negotiate which type of EAP they will use for the authentication transaction. Both devices must mutually support the choice of EAP. If they cannot agree on a mutual EAP authentication process, 802.1x fails.

How 802.1x Works
Here are the steps that must occur before 802.1x will allow a device access to the network:

A wireless client device (supplicant) requests access to a WLAN. An authenticator (access point/mobility controller) asks for the supplicant’s identity. No other traffic than EAP is allowed at this point, i.e. the “port” is closed

The supplicant responds to the authenticator with identity data that will establish its credentials. EAP, the protocol used to transport authentication messages, was originally used for dial-up PPP. The identity was the user name and was sent in the clear (not encrypted). A malicious sniffer might capture this and learn the user’s identity. Identity hiding is therefore used; the real identity is not sent before an encrypted session is established

After the identity has been sent, the authentication process begins. The authenticator re-encapsulates the EAPOL messages to RADIUS format and passes them to the authentication server. During the authentication process, the authenticator simply translates and relays packets between the supplicant and the authentication server
Each authentication process is slightly different, depending on the type of EAP authentication used, however, at some point the authentication server will send a success or failure message

If the authentication server transmits a success message, the authenticator opens the “port” for the supplicant and network access is granted. If a failure message is sent, the port is not opened. This supplicant is free at this point to try again and validation.

802.1x offers a powerful access control mechanism. Unlike any other protocol discussed in this document, 802.1x ensures a client device has absolutely no network access before authentication

The advantages of 802.1x are:
• High level of network access control
• Can work with other protocols to provide authentication and encryption
• Key distribution and rotation

The major drawbacks of 802.1x are:
• No encryption – the 802.1x protocol, in and of itself, does not include an encryption algorithm and must be used with an encryption protocol such as WEP, TKIP or AES
• No authentication – the 802.1x protocol does not include authentication, thus it must be coupled with a protocol such as EAP
• RADIUS requirement – the 802.1x protocol only supports RADIUS today as a de facto standard for authentication server messages. This means a RADIUS authentication server, or proxy, must be used even if the actual authentication server is some other protocol such as LDAP

Even with these issues, 802.1x is still an extremely effective security protocol when coupled with other standards such as EAP.

6. 802.11i, WPA2 and xSec
https://airheads.arubanetworks.com/article/wireless-client-security-demystified-802-11i-wpa2-and-xsec

IEEE 802.11i is an amendment to the original 802.11 standard specifying security mechanisms for wireless networks (Wi-Fi). The draft standard was ratified on June 24, 2004, and supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have severe security weaknesses.

How 802.11i Works
The 802.11i architecture contains four key components:
• 802.1x, EAP and an authentication server for authentication
• RSN to keep track of associations and client-AP security negotiations
• AES-CCMP for confidentiality and integrity
• A four-way handshake

802.1x and EAP in 802.11
We discussed 802.1x previously and how it works with EAP to provide authentication within the wireless LAN infrastructure. 802.11i includes 802.1x and EAP and further improves upon this model.

Robust Security Network (RSN)
802.11i uses the concept of a Robust Security Network (RSN). In an RSN, wireless devices need to support additional capabilities. In a true RSN, WLAN access points/system only allow RSN mobile devices to connect. Because not all wireless NICs are RSN-capable, an intermediate network has been defined called Transitional Security Network (TSN). A TSN is similar to an RSN in concept and architecture, but does not implement all of the mandatory capabilities and mechanisms.

AES-CCMP
As discussed in a previous article, 802.11i makes use of AES-CCMP for encryption and data integrity.

Four-way Handshake
In a wireless network, there are two authentications that need to happen:
The access point (controller in a thin network) must authenticate itself to the wireless client
The client and AP/controller must successfully derive keys to encrypt traffic

The earlier EAP exchange provides the shared secret key PMK (Pairwise Master Key). This key is designed to last the entire session and therefore should be exposed as little as possible. This is performed with a process called the four-way handshake. The entire mission of the handshake is to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address and STA MAC address. The product is then put through a cryptographic hash function. This handshake also produces a Group Transient Key (GTK) which is used for broadcast and multicast traffic. Here’s how it works:
The AP sends a one-time random number (called the nonce-value) to the station (ANonce). The client now has all the attributes to construct the PTK
The station (STA) sends its own nonce-value (SNonce) to the AP with a Message Integrity Checksum (MIC)
The AP sends the GTK and a sequence number together with another MIC checksum. The sequence number is what will be used in the next multicast or broadcast frame, so that the receiving station can do a basic replay detection operation
The station then sends a confirmation to the AP

The PTK obtained from this handshake is divided into five separate keys:
Pairwise Transient Key (PTK)
EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message
Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP

Note: the Michael MIC keys are only used if TKIP is used to encrypt the data.

802.11i has been designed from the ground up using proven technologies. Although no security system can ever be considered totally unbreakable, 802.11i security is a dependable solution and shows no weaknesses at this time.

As an entire security eco-system, 802.11i combines many of the fundamental protocols discussed in this series of articles. It offers a complete solution:
Access control – offers a high level of network access control through mechanisms such as 802.1x
Encryption – offers AES-CCMP as proven, highly regarded cryptographic algorithms that go far beyond the RC4 stream cipher used by WEP and TKIP. AES-CCMP also goes farther by encrypting parts of the 802.11 header
Authentication – is offered using the industry standard EAP and its associated authentication types
Key generation/distribution and rotation – the ability to derive a hierarchy of keys from a master key, this is typically performed by EAP and 802.1x

WPA2
Wi-Fi Protected Access v2.0 (WPA2) is an implementation of the IEEE 802.11i standard tested and certified by the Wi-Fi Alliance. It is interoperable with any other 802.11i-compliant system. WPA2 implements the mandatory elements of 802.11i. In particular, the Michael algorithm is replaced by a message authentication code, CCMP, that is considered fully secure and RC4 is replaced by AES.

How WPA2 Security Works
WPA2 works just like the 802.11i standard and supports all of the mandatory features and capabilities. WPA2 is often used interchangeably with 802.11i.

xSec
A variant on the 802.11i standard is xSec. xSec is a joint effort between Funk Software (now Juniper) and Aruba Networks. It was created to meet the requirements of FIPS-140-2 certification as a Layer 2 protocol. The original 802.11i standard is, as specified, able to pass this certification. xSec encompasses all of the benefits of 802.11i and improves upon them even further:
Access control – offers a high level of network access control through mechanisms such as 802.1x
Encryption – offers AES-CBC-256, an encryption protocol approved for government use for Layer 2 data transmissions, with HMAC-SHA1 for complete 802.11 header encryption
Authentication – is offered using the industry standard EAP and its associated authentication types
Key generation/distribution and rotation – the ability to derive a hierarchy of keys from a master key, this is typically performed by EAP and 802.1x
Universal media support – xSec is unique in that it works across both wired and wireless networks

Although xSec offers benefits above and beyond the 802.11i standard, it is worth mentioning that it does require a specific supplicant that supports xSec. Today that client is the Odyssey client sold by Funk, now Juniper Systems.
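
The PTK derivation and key split from the four-way handshake in section 6 can be traced in code. This is an added example, not code from the original article or from any vendor: it uses the 802.11i PRF (HMAC-SHA1 with the label "Pairwise key expansion") as the concrete form of the "concatenate, then hash" step, and for TKIP it also yields the Rx Michael key that accompanies the Tx key listed above. The PMK, MAC addresses and message bodies are constructed, the real EAPOL-Key frame layout is not reproduced, and the GTK is sent without the KEK wrapping a real AP applies.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, tkip=False) -> dict:
    """Expand the PMK into the per-session keys named in the article."""
    # Min/max ordering lets AP and STA build the same input independently.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:  # Michael MIC keys exist only when TKIP protects the data
        keys["MIC_TX"], keys["MIC_RX"] = ptk[48:56], ptk[56:64]
    return keys


def key_mic(kck: bytes, body: bytes) -> bytes:
    """MIC on a handshake message: HMAC-SHA1 under the KCK, cut to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap, pmk_sta, ap_mac, sta_mac) -> dict:
    """Both roles in one function; message bodies are simplified stand-ins."""
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Message 1 (AP -> STA): ANonce in the clear. STA can now build the PTK.
    sta = derive_ptk(pmk_sta, ap_mac, sta_mac, anonce, snonce)

    # Message 2 (STA -> AP): SNonce plus a MIC. AP derives its PTK and checks.
    msg2 = b"M2" + snonce
    mic2 = key_mic(sta["KCK"], msg2)
    ap = derive_ptk(pmk_ap, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic2, key_mic(ap["KCK"], msg2)):
        return {"completed": False, "failed_at": 2}   # STA does not hold the PMK

    # Message 3 (AP -> STA): GTK + sequence number + MIC. A valid MIC shows
    # the STA that the AP holds the PMK too (the AP authenticating itself).
    gtk, seq = os.urandom(16), (0).to_bytes(6, "big")
    msg3 = b"M3" + seq + gtk
    mic3 = key_mic(ap["KCK"], msg3)
    if not hmac.compare_digest(mic3, key_mic(sta["KCK"], msg3)):
        return {"completed": False, "failed_at": 3}

    # Message 4 (STA -> AP): confirmation, again under the KCK.
    msg4 = b"M4"
    ok = hmac.compare_digest(key_mic(sta["KCK"], msg4), key_mic(ap["KCK"], msg4))
    return {"completed": ok, "failed_at": None if ok else 4,
            "same_tk": ap["TK"] == sta["TK"]}


if __name__ == "__main__":
    pmk = bytes(range(32))                       # constructed PMK
    ap_mac = bytes.fromhex("020000000001")       # constructed MAC addresses
    sta_mac = bytes.fromhex("020000000002")
    print(four_way_handshake(pmk, pmk, ap_mac, sta_mac))
    print(four_way_handshake(pmk, bytes(32), ap_mac, sta_mac))
```

The PMK itself never appears in any message; only nonces and MICs cross the air, which is how the handshake keeps the session-long key exposed as little as possible.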
7. WPA
https://airheads.arubanetworks.com/article/wireless-client-security-demystified-wpa#top

Wi-Fi Protected Access (WPA) was developed by the Wi-Fi Alliance as an interim solution aimed at addressing the weakness of WEP-based wireless networks. WPA has, rightly, been admired as a masterpiece of retro engineering. It addresses the weaknesses of WEP and the result is a very secure security system that is backwardly compatible with most existing Wi-Fi compliant equipment. WPA is a practical solution that will provide more than adequate security for most wireless network applications.

How WPA Works
WPA is designed for use with an 802.1X/EAP authentication server, which distributes different keys to each user. However, it can also be used in a less secure "pre-shared key" (PSK) mode, where every user is given the same passphrase – a passphrase is similar to a password. The Wi-Fi Alliance calls the pre-shared key version WPA Personal and the 802.1X authentication version WPA Enterprise.

Unlike the 802.11i standard that uses AES-CCMP by default, WPA data is encrypted using TKIP’s RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement in WPA over WEP is the use of the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks that were discovered with WEP.

In addition to authentication and encryption, WPA also provides vastly improved payload integrity when compared to WEP. The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. A more secure message authentication code (MIC) is used in WPA. (Called MIC for Message Integrity Code, it also happens to be based on an algorithm called Michael.) The MIC used in WPA includes a frame counter, which prevents replay attacks from being executed; this was another weakness in WEP.

By any measure, WPA is a strong security system. Any system using WPA today will have addressed the major shortcomings of the original 802.11 standard.

Major features of WPA include:
• Use of 802.1x for access control and authentication
• TKIP encryption that is far stronger than WEP and fixes many issues with larger keys, IVs and changing keys
• Key management and distribution scheme (PSK is also still supported)
• MIC packet integrity checking prevents packet replay attacks
• Backwards-compatible with most 802.11 network cards

The major drawbacks of WPA include:
• Backwards-compatibility limits crypto operations – thus encryption is still ultimately based on RC4, as is WEP
• TKIP is not FIPS-certified or approved for US government use
• WPA, as an interim solution, is not compatible with pure 802.11i/RSN environments. Some vendors, such as Aruba Networks, do offer a mixed mode which allows both WPA-TKIP and WPA-AES on the same SSID

Coming next: The Final Frontier: Wireless Client Security Guidelines
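
Two WEP weaknesses named in this series, IV repetition under a 24-bit IV and the unkeyed CRC-32 integrity check that WPA replaces with a keyed MIC, can be checked on constructed data. This is an added example, not part of the original article: the key, IV and payloads are made up, the frame is reduced to payload plus ICV, and HMAC-SHA256 stands in for a keyed MIC (it is not the Michael algorithm).

```python
import hashlib
import hmac
import zlib
from math import ceil, log, sqrt


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(data: bytes) -> bytes:
    """WEP's integrity check value: an unkeyed CRC-32 of the payload."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_seal(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Encrypt payload || ICV with RC4 keyed by IV || key (the traffic key)."""
    body = payload + crc_icv(payload)
    return xor(body, rc4_keystream(iv + key, len(body)))


def wep_open(iv: bytes, key: bytes, frame: bytes):
    """Decrypt and return (payload, whether the CRC-32 ICV verifies)."""
    body = xor(frame, rc4_keystream(iv + key, len(frame)))
    payload, icv = body[:-4], body[-4:]
    return payload, icv == crc_icv(payload)


def frames_until_iv_repeat(iv_bits: int, p: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat has probability p."""
    return ceil(sqrt(2 * 2 ** iv_bits * log(1 / (1 - p))))


def icv_change_for(delta: bytes) -> bytes:
    """CRC-32 is affine under XOR, so the ICV change depends only on delta."""
    return xor(crc_icv(delta), crc_icv(bytes(len(delta))))


def demo() -> dict:
    key = bytes.fromhex("0102030405")     # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                  # constructed 24-bit IV, sent in clear
    p1 = b"temp=0100;unit=C"              # constructed payloads, equal length
    p2 = b"constructed data"
    c1, c2 = wep_seal(iv, key, p1), wep_seal(iv, key, p2)

    # 1. Same IV and key give the same keystream, which cancels in c1 XOR c2.
    reuse_leaks_xor = xor(c1, c2)[:len(p1)] == xor(p1, p2)

    # 2. One payload byte is changed inside the ciphertext and the ICV is
    #    adjusted from the delta alone; the key is used only to check the result.
    delta = bytearray(len(p1))
    delta[5] = ord("0") ^ ord("9")
    altered = xor(c1, bytes(delta) + icv_change_for(bytes(delta)))
    new_payload, crc_ok = wep_open(iv, key, altered)

    # 3. A keyed tag computed by the sender does not match the changed payload.
    mic_key = b"constructed-mic-key"
    tag = hmac.new(mic_key, p1, hashlib.sha256).digest()
    keyed_ok = hmac.compare_digest(
        tag, hmac.new(mic_key, new_payload, hashlib.sha256).digest())

    return {"reuse_leaks_xor": reuse_leaks_xor,
            "altered_payload": new_payload,
            "crc_icv_accepts_change": crc_ok,
            "keyed_tag_accepts_change": keyed_ok}


if __name__ == "__main__":
    print("24-bit IV, 50% repeat after", frames_until_iv_repeat(24), "frames")
    print("48-bit IV, 50% repeat after", frames_until_iv_repeat(48), "frames")
    print(demo())
```

The 24-bit result is in line with the article's figure of about 5000 packets, while the 48-bit IV used by TKIP pushes the same bound into the tens of millions of frames.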
